According to Proofpoint’s latest survey of UK CISOs, 53% of CISOs and CSOs reported that their organisations suffered at least one major cyber attack in 2020, with 14% suffering multiple attacks.
This trend is not expected to decline in 2021, with 64% expressing concern that their organization is at risk of attack in 2021. Larger enterprises face greater threats: 89% of CSOs and CISOs at organizations with more than 2,500 employees expressed concern, and 83% at organizations with more than 5,000 employees are concerned about being attacked. More worryingly, 28% of respondents still don't think cyberattacks will cause major trouble in 2021.
Ransomware is the biggest threat
According to Risk Based's annual analysis of global data breaches, the number of global data breaches fell by half in 2020 to less than 4,000, but the number of leaked data records more than doubled, and ransomware leaks over the same period also doubled. This indicates that attackers are focusing more on ransomware, which has gradually become one of their "standard operations".
In 2021, with the rapid adoption of cloud computing, ransomware will increasingly target cloud storage to maximize impact and increase leverage for higher profits, expanding the size and risk of enterprise data breaches.
Proofpoint’s survey shows that 46% of CSOs/CISOs consider ransomware to be the biggest cybersecurity threat to their business in the next two years. This is followed by cloud account compromise (39%), insider threats (33%) and phishing (30%).
Notably, only 24% of CSOs/CISOs consider impersonation attacks and business email compromise (BEC) attacks to be the biggest potential cyber threats. But the fact that BEC attacks have quickly become one of the world's most costly cyber risks (the FBI estimates BEC to cost $26.5 billion over three years) suggests that many IT leaders underestimate BEC risks.
Cybercriminal syndicates collaborate with each other
While ransomware remains the biggest threat facing businesses, an important change that cannot be ignored in 2021 is the collaboration between cybercriminal groups.
The three most common ways cybercriminals monetize attacks are BEC, email account compromise (EAC), and ransomware. In the past, many attackers specializing in BEC and EAC tended not to act as initial access proxies for ransomware, even if they had the necessary access rights. Likewise, ransomware attackers did not make use of BEC and EAC attacks. But Proofpoint believes that will change in 2021 as threat actors increasingly collaborate for more effective attacks and higher profits.
For example, we will see a company compromised through EAC, with the attacker "reselling" access to another group to carry out a ransomware attack, or an EAC group upskilling and starting to use commercially available ransomware tools. Also watch out for more advanced BEC and EAC attacks.
Human error is the biggest risk
55% of CISOs/CSOs surveyed believe that human error/cybersecurity apathy remains the biggest risk to their business regardless of the cybersecurity solution adopted.
Employees with the following behaviors are most likely to cause a cyber attack on an enterprise:
Clicking on malicious links or downloading infected files (43%);
Falling victim to phishing emails (39%);
Deliberately leaking data (35%);
Unauthorized use of devices and apps (35%).
But while IT leaders are aware of the risks employees may pose to their business, 44 percent of respondents said they don’t know who the most at-risk employees are in their organization.
Staff training and awareness is a top priority
Improving employee training and awareness is a top priority, but barriers remain. Despite the high risk that human error and lack of cybersecurity awareness pose to organizations, only 28 percent of businesses surveyed admitted to conducting more than two comprehensive security awareness training events per year.
However, 73% of respondents believe that cybersecurity awareness training for employees needs to be improved. Despite the many challenges facing CISOs, 49% of CISOs surveyed have security awareness training as their top priority in 2021.
Unfortunately, this can be an uphill battle for many CSOs/CISOs, as 54% believe limited time and resources are barriers to developing an effective security awareness training program, while 50% believe the board does not pay enough attention to the importance of effective network security protection.
Businesses are still not ready for safe remote work
In 2021, many businesses are looking for long-term remote work plans for their employees.
Although most businesses have had nine months to plan and prepare since the start of the coronavirus pandemic, only 22% of CISOs believe their workforce is adequately capable and equipped to work remotely. Due to the hasty implementation of remote work, many support tasks (IT and network security, personnel training) have not kept up.
As reflected in the survey data, 64% of CISOs believe their organizations are currently more vulnerable to cyber threats due to remote work.
Cybersecurity budget expected to increase
73% of CSOs/CISOs surveyed expect their cybersecurity budgets to increase over the next two years. 25% expect their budget to increase by more than 10%. The CSOs/CISOs surveyed also reported that investing in hiring new talent and improving workforce skills is the second-highest priority in 2021 (47%), after increasing employee cybersecurity awareness (49%).
“It is encouraging that most IT leaders are aware of the risks and challenges they face,” said Andrew Ross, CISO at Proofpoint. “However, there is concern that business email attacks are not getting the attention they deserve, because they are more prevalent than ransomware and still capable of causing huge financial damage. Businesses are making employee security awareness a priority, which is a positive sign, as regular and comprehensive security awareness training is critical to building a highly resilient security culture. A people-centred strategy is a must for organizations, starting with identifying the most vulnerable users and making sure they have the knowledge and tools to protect themselves and the business.”